[ISN] Certification Next Wave for Security Professionals

From: mea culpa (jerichoat_private)
Date: Mon Aug 31 1998 - 21:41:03 PDT

    Forwarded From: blueskyat_private
    
    Internetweek
    Monday, August 31, 1998, 11:45 a.m. ET. 
    
    Certification Next Wave for Security Professionals
    
    By RUTRELL YASIN 
    
    Accountants are certified. Engineers are certified. Why not security
    professionals? 
    
    As more security companies launch professional services divisions, IT
    managers could require their security consultants to have some
    industry-approved credentials that prove they have a high level of
    technical proficiency and ethical code of behavior. 
    
    Secure Computing Corp. wants to be ahead of this wave. The network
    security vendor, which established a services division in April, this week
    will announce that 17 of its professional services consultants have been
    certified by the International Information Systems Security Certification
    Consortium (ISC2). 
    
    ISC2 awards the Certified Information Systems Security Professional
    (CISSP) designation to security experts who have passed a rigorous
    examination. The exam consists of all the major elements of the
    information systems security Common Body of Knowledge, ranging from access
    control to law, investigations and ethics. 
    
    Security administrators familiar with the CISSP exam said the ISC2 stamp
    of approval would definitely carry weight in their decision of whether to
    bring in consultants. But they stopped short of saying it is a necessary
    requirement. 
    
    "Would it be important for me?" to hire a CISSP-certified consultant,
    asked John Patterson, a security administrator at Oppenheimer Funds Inc.,
    a stock-trading company with $75 billion in assets.
    
    "I don't know right now if I would make it a requirement. But if two
    consultants [are bidding for a project] and one had CISSP after his name,
    that would definitely weigh in his favor,"  Patterson said. But since
    there is a shortage of skilled experts in the industry, "we are not in the
    position to mandate that every security consultant should be certified." 
    
    According to Linda Erickson, who earned her CISSP this summer, "There's a
    growing emphasis on professional certification for technology
    professionals across the board."  Erickson is an administrator with the
    Minnesota Department of Human Services. "Industrywide certification helps
    set the baseline for professional relationships with our trusted business
    partners," she said. 
    
    But to be effective, certification has to be relevant to what users are
    trying to do, said Aberdeen Group analyst Eric Hemmendinger. 
    
    If a security company is doing penetration testing of an organization's
    infrastructure, then the consultant should know the different ways to
    break into networks. His knowledge is not product specific. 
    
    On the other hand, if the consultant is deploying a specific product,
    "what you want is some confidence that he is knowledgeable about the
    solution," Hemmendinger said. For example, a consultant may know a lot
    about firewalls but very little about how to integrate them with other
    security tools, he added. 
    
    Officials at Secure Computing view certifications as a way for its
    consultants to differentiate their expertise--at least on paper.  Once
    they are in the door, their work speaks for itself, said John Sekevitch,
    vice president of professional services at Secure. 
    
    The company wants all of its 35-member staff to be certified. With 17
    consultants certified, Secure claims it has more certified professionals
    than any other IT company including AT&T and IBM. 
    
    "Certification is the wave of the future,"  Sekevitch said. Currently, of
    the 20,000 security professionals--in government, commercial and
    international sectors--about 700 are certified.  And 300 of those were
    "grandfathered in,"  receiving their credentials prior to the
    establishment of ISC2 in 1989, he added. 
    
    Sekevitch also lauds ISC2 for demanding that certified security experts
    adhere to a strict code of ethics, a fact that is important due to the
    knowledge these experts hold. 
    
    
    


